Mobile computing devices can store large amounts of data, are highly portable and are frequently unprotected: They are easy to steal or lose, and unless precautions are taken, an unauthorized person can gain access to the information stored on them or accessed through them. Even if not stolen or lost, intruders can sometimes gain all the access they need if the device is left alone and unprotected, if data is “sniffed out of the air” during wireless communications, or if malware is installed. The results can include crippled devices, personal data loss, disclosure of data, and disciplinary actions for the device owner.
Mobile computing devices are of concern both because of the data that might be stored on them, and because they may provide access to other services that store or display non-public data. This access may be enabled because the mobile device contains passwords or security certificates that identify the device or its user to the email system, Virtual Private Networks (VPNs), or other applications.
Mobile security or mobile phone security has become increasingly important in mobile computing. It is of particular concern as it relates to the security of personal and business information now stored on smartphones.
More and more users and businesses employ smartphones as communication tools, but also as a means of planning and organizing their work and private life. Within companies, these technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.
All smartphones, as computers, are preferred targets of attacks. These attacks exploit weaknesses related to smartphones that can come from means of communication like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service (MMS), Wi-Fi networks, Bluetooth and GSM, the de facto global standard for mobile communications. There are also attacks that exploit software vulnerabilities from both the web browser and operating system. Finally, there are forms of malicious software that rely on the weak knowledge of average users.
Different security counter-measures are being developed and applied to smartphones, from security in different layers of software to the dissemination of information to end users. There are good practices to be observed at all levels, from design to use, through the development of operating systems, software layers, and downloadable apps.
Attacks on Mobile
Attack based on SMS and MMS
Some attacks derive from flaws in the management of SMS and MMS. Some mobile phone models have problems in managing binary SMS messages. It is possible, by sending an ill-formed block, to cause the phone to restart, leading to denial of service attacks. If a user with a Siemens S55 received a text message containing a Chinese character, it would lead to a denial of service. In another case, while the standard requires that the maximum size of a Nokia Mail address is 32 characters, some Nokia phones did not verify this standard, so if a user enters an email address over 32 characters, that leads to complete dysfunction of the e-mail handler and puts it out of commission. This attack is called “curse of silence”. A study on the safety of the SMS infrastructure revealed that SMS messages sent from the Internet can be used to perform a distributed denial of service (DDoS) attack against the mobile telecommunications infrastructure of a big city. The attack exploits the delays in the delivery of messages to overload the network.
Another potential attack could begin with a phone that sends an MMS to other phones, with an attachment. This attachment is infected with a virus. Upon receipt of the MMS, the user can choose to open the attachment. If it is opened, the phone is infected, and the virus sends an MMS with an infected attachment to all the contacts in the address book. There is a real world example of this attack: the virus Commwarrior uses the address book and sends MMS messages including an infected file to recipients. A user installs the software, as received via MMS message. Then, the virus began to send messages to recipients taken from the address book.
Attacks based on the GSM networks
The attacker may try to break the encryption of the mobile network. The GSM network encryption algorithms belong to the family of algorithms called A5. Due to the policy of security through obscurity it has not been possible to openly test the robustness of these algorithms. There were originally two variants of the algorithm: A5/1 and A5/2 (stream ciphers), where the former was designed to be relatively strong, and the latter was designed to be weak on purpose to allow easy cryptanalysis and eavesdropping. ETSI forced some countries (typically outside Europe) to use A5/2. Since the encryption algorithm was made public, it was proved it was possible to break the encryption: A5/2 could be broken on the fly, and A5/1 in about 6 hours . In July 2007, the 3GPP approved a change request to prohibit the implementation of A5/2 in any new mobile phones, which means that is has been decommissioned and is no longer implemented in mobile phones. Stronger public algorithms have been added to the GSM standard, the A5/3 and A5/4 (Block ciphers), otherwise known as KASUMI or UEA1 published by the ETSI. If the network does not support A5/1, or any other A5 algorithm implemented by the phone, then the base station can specify A5/0 which is the null-algorithm, whereby the radio traffic is sent unencrypted. Even in case mobile phones are able to use 3G or 4G which have much stronger encryption than 2G GSM, the base station can downgrade the radio communication to 2G GSM and specify A5/0 (no encryption) . This is the basis for eavesdropping attacks on mobile radio networks using a fake base station commonly called an IMSI catcher.
In addition, tracing of mobile terminals is difficult since each time the mobile terminal is accessing or being accessed by the network, a new temporary identity (TMSI) is allocated to the mobile terminal. The TSMI is used as identity of the mobile terminal the next time it accesses the network. The TMSI is sent to the mobile terminal in encrypted messages.
Once the encryption algorithm of GSM is broken, the attacker can intercept all unencrypted communications made by the victim’s smartphone.
Attacks based on Wi-Fi
An attacker can try to eavesdrop on Wi-Fi communications to derive information (e.g. username, password). This type of attack is not unique to smartphones, but they are very vulnerable to these attacks because very often the Wi-Fi is the only means of communication they have to access the internet. The security of wireless networks (WLAN) is thus an important subject. Initially wireless networks were secured by WEP keys. The weakness of WEP is a short encryption key which is the same for all connected clients. In addition, several reductions in the search space of the keys have been found by researchers. Now, most wireless networks are protected by the WPA security protocol. WPA is based on the “Temporal Key Integrity Protocol (TKIP)” which was designed to allow migration from WEP to WPA on the equipment already deployed. The major improvements in security are the dynamic encryption keys. For small networks, the WPA is a “pre-shared key” which is based on a shared key. Encryption can be vulnerable if the length of the shared key is short. With limited opportunities for input (i.e. only the numeric keypad) mobile phone users might define short encryption keys that contain only numbers. This increases the likelihood that an attacker succeeds with a brute-force attack. The successor to WPA, called WPA2, is supposed to be safe enough to withstand a brute force attack.
As with GSM, if the attacker succeeds in breaking the identification key, it will be possible to attack not only the phone but also the entire network it is connected to.
Many smartphones for wireless LANs remember they are already connected, and this mechanism prevents the user from having to re-identify with each connection. However, an attacker could create a WIFI access point twin with the same parameters and characteristics as the real network. Using the fact that some smartphones remember the networks, they could confuse the two networks and connect to the network of the attacker who can intercept data if it does not transmit its data in encrypted form.
Lasco is a worm that initially infects a remote device using the SIS file format. SIS file format (Software Installation Script) is a script file that can be executed by the system without user interaction. The smartphone thus believes the file to come from a trusted source and downloads it, infecting the machine.
Principle of Bluetooth-based attacks
Security issues related to Bluetooth on mobile devices have been studied and have shown numerous problems on different phones. One easy to exploit vulnerability: unregistered services do not require authentication, and vulnerable applications have a virtual serial port used to control the phone. An attacker only needed to connect to the port to take full control of the device. Another example: a phone must be within reach and Bluetooth in discovery mode. The attacker sends a file via Bluetooth. If the recipient accepts, a virus is transmitted. For example: Cabir is a worm that spreads via Bluetooth connection. The worm searches for nearby phones with Bluetooth in discoverable mode and sends itself to the target device. The user must accept the incoming file and install the program. After installing, the worm infects the machine.
Password cracking
In 2010, researcher from the University of Pennsylvania investigated the possibility of cracking a device’s password through a smudge attack (literally imaging the finger smudges on the screen to discern the user’s password). The researchers were able to discern the device password up to 68% of the time under certain conditions.
Malicious software (malware)
As smartphones are a permanent point of access to the internet (mostly on), they can be compromised as easily as computers with malware. A malware is a computer program that aims to harm the system in which it resides. Trojans, worms and viruses are all considered malware. A Trojan is a program that is on the smartphone and allows external users to connect discreetly. A worm is a program that reproduces on multiple computers across a network. A virus is malicious software designed to spread to other computers by inserting itself into legitimate programs and running programs in parallel. However, it must be said that the malware are far less numerous and important to smartphones as they are to computers.
Web browser
The mobile web browser is an emerging attack vector for mobile devices. Just as common Web browsers, mobile web browsers are extended from pure web navigation with widgets and plug-ins, or are completely native mobile browsers.
Jailbreaking the iPhone with firmware 1.1.1 was based entirely on vulnerabilities on the web browser. As a result, the exploitation of the vulnerability described here underlines the importance of the Web browser as an attack vector for mobile devices. In this case, there was a vulnerability based on a stack-based buffer overflow in a library used by the web browser (Libtiff).
A vulnerability in the web browser for Android was discovered in October 2008. As the iPhone vulnerability above, it was due to an obsolete and vulnerable library. A significant difference with the iPhone vulnerability was Android’s sandboxing architecture which limited the effects of this vulnerability to the Web browser process.
Smartphones are also victims of classic piracy related to the web: phishing, malicious websites, etc. The big difference is that smartphones do not yet have strong antivirus software available.
Operating system
Sometimes it is possible to overcome the security safeguards by modifying the operating system itself. These attacks are difficult.
In 2004, vulnerabilities in virtual machines running on certain devices were revealed. It was possible to bypass the bytecode verifier and access the native underlying operating system. The results of this research were not published in detail. The firmware security of Nokia’s Symbian Platform Security Architecture (PSA) is based on a central configuration file called SWIPolicy. In 2008 it was possible to manipulate the Nokia firmware before it is installed, and in fact in some downloadable versions of it, this file was human readable, so it was possible to modify and change the image of the firmware. This vulnerability has been solved by an update from Nokia.
In theory smartphones have an advantage over hard drives since the OS files are in ROM, and cannot be changed by malware. However, in some systems it was possible to circumvent this: in the Symbian OS it was possible to overwrite a file with a file of the same name. On the Windows OS, it was possible to change a pointer from a general configuration file to an editable file.
When an application is installed, the signing of this application is verified by a series of certificates. One can create a valid signature without using a valid certificate and add it to the list. In the Symbian OS all certificates are in the directory: c:\resource\swicertstore\dat. With firmware changes explained above it is very easy to insert a seemingly valid but malicious certificate.
Countermeasures
The security mechanisms in place to counter the threats described above are presented in this section. They are divided into different categories, as all do not act at the same level, and they range from the management of security by the operating system to the behavioral education of the user. The threats prevented by the various measures are not the same depending on the case. Considering the two cases mentioned above, in the first case one would protect the system from corruption by an application, and in the second case the installation of a suspicious software would be prevented.
Security in operating systems
The first layer of security within a smartphone is at the level of the operating system (OS). Beyond the usual roles of an operating system (e.g. resource management, scheduling processes) on a smartphone, it must also establish the protocols for introducing external applications and data without introducing risk.
A central idea found in the mobile operating systems is the idea of a sandbox. Since smartphones are currently being designed to accommodate many applications, they must put in place mechanisms to ensure these facilities are safe for themselves, for other applications and data on the system, and the user. If a malicious program manages to reach a device, it is necessary that the vulnerable area presented by the system be as small as possible. Sandboxing extends this idea to compartmentalize different processes, preventing them from interacting and damaging each other. Based on the history of operating systems, sandboxing has different implementations. For example, where iOS will focus on limiting access to its public API for applications from the App Store by default, Managed Open In allows you to restrict which apps can access which types of data. Android bases its sandboxing on its legacy of Linux and TrustedBSD.
Rootkit Detectors
The intrusion of a rootkit in the system is a great danger in the same way as on a computer. It is important to prevent such intrusions, and to be able to detect them as often as possible. Indeed, there is concern that with this type of malicious program, the result could be a partial or complete bypass of the device security, and the acquisition of administrator rights by the attacker. If this happens, then nothing prevents the attacker from studying or disabling the safety features that were circumvented, deploying the applications they want, or disseminating a method of intrusion by a rootkit to a wider audience. We can cite, as a defense mechanism, the Chain of trust in iOS. This mechanism relies on the signature of the different applications required to start the operating system, and a certificate signed by Apple. In the event that the signature checks are inconclusive, the device detects this and stops the boot-up. If the Operating System is compromised due to Jailbreaking, root kit detection may not work if it is disabled by the Jailbreak method or software is loaded after Jailbreak disables Rootkit Detection.
Process isolation
Android uses mechanisms of user process isolation inherited from Linux. Each application has a user associated with it, and a tuple (UID, GID). This approach serves as a sandbox: while applications can be malicious, they can not get out of the sandbox reserved for them by their identifiers, and thus cannot interfere with the proper functioning of the system. For example, since it is impossible for a process to end the process of another user, an application can thus not stop the execution of another.
File permissions
From the legacy of Linux, there are also filesystem permissions mechanisms. They help with sandboxing: a process can not edit any files it wants. It is therefore not possible to freely corrupt files necessary for the operation of another application or system. Furthermore, in Android there is the method of locking memory permissions. It is not possible to change the permissions of files installed on the SD card from the phone, and consequently it is impossible to install applications.
Memory Protection
In the same way as on a computer, memory protection prevents privilege escalation. Indeed, if a process managed to reach the area allocated to other processes, it could write in the memory of a process with rights superior to their own, with root in the worst case, and perform actions which are beyond its permissions on the system. It would suffice to insert function calls are authorized by the privileges of the malicious application.
Development through runtime environments
Software is often developed in high-level languages, which can control what is being done by a running program. For example, Java Virtual Machines continuously monitor the actions of the execution threads they manage, monitor and assign resources, and prevent malicious actions. Buffer overflows can be prevented by these controls.
Security software
Above the operating system security, there is a layer of security software. This layer is composed of individual components to strengthen various vulnerabilities: prevent malware, intrusions, the identification of a user as a human, and user authentication. It contains software components that have learned from their experience with computer security; however, on smartphones, this software must deal with greater constraints.
Antivirus and firewall
An antivirus software can be deployed on a device to verify that it is not infected by a known threat, usually by signature detection software that detects malicious executable files. A firewall, meanwhile, can watch over the existing traffic on the network and ensure that a malicious application does not seek to communicate through it. It may equally verify that an installed application does not seek to establish suspicious communication, which may prevent an intrusion attempt.
Visual Notifications
In order to make the user aware of any abnormal actions, such as a call they did not initiate, one can link some functions to a visual notification that is impossible to circumvent. For example, when a call is triggered, the called number should always be displayed. Thus, if a call is triggered by a malicious application, the user can see, and take appropriate action.
Biometric identification
Another method to use is biometrics. Biometrics is a technique of identifying a person by means of their morphology(by recognition of the eye or face, for example) or their behavior (their signature or way of writing for example). One advantage of using biometric security is that users can avoid having to remember a password or other secret combination to authenticate and prevent malicious users from accessing their device. In a system with strong biometric security, only the primary user can access the smartphone.
Resource monitoring in the smartphone
When an application passes the various security barriers, it can take the actions for which it was designed. When such actions are triggered, the activity of a malicious application can be sometimes detected if one monitors the various resources used on the phone. Depending on the goals of the malware, the consequences of infection are not always the same; all malicious applications are not intended to harm the devices on which they are deployed. The following sections describe different ways to detect suspicious activity.
Battery
Some malware is aimed at exhausting the energy resources of the phone. Monitoring the energy consumption of the phone can be a way to detect certain malware applications.
Memory usage
Memory usage is inherent in any application. However, if one finds that a substantial proportion of memory is used by an application, it may be flagged as suspicious.
Network traffic
On a smartphone, many applications are bound to connect via the network, as part of their normal operation. However, an application using a lot of bandwidth can be strongly suspected of attempting to communicate a lot of information, and disseminate data to many other devices. This observation only allows a suspicion, because some legitimate applications can be very resource-intensive in terms of network communications, the best example being streaming video.
Services
One can monitor the activity of various services of a smartphone. During certain moments, some services should not be active, and if one is detected, the application should be suspected. For example, the sending of an SMS when the user is filming video: this communication does not make sense and is suspicious; malware may attempt to send SMS while its activity is masked.
The various points mentioned above are only indications and do not provide certainty about the legitimacy of the activity of an application. However, these criteria can help target suspicious applications, especially if several criteria are combined.
Manufacturer surveillance
In the production and distribution chain for mobile devices, it is the responsibility of manufacturers to ensure that devices are delivered in a basic configuration without vulnerabilities. Most users are not experts and many of them are not aware of the existence of security vulnerabilities, so the device configuration as provided by manufacturers will be retained by many users. Below are listed several points which manufacturers should consider.
Remove debug mode
Phones are sometimes set in a debug mode during manufacturing, but this mode must be disabled before the phone is sold. This mode allows access to different features, not intended for routine use by a user. Due to the speed of development and production, distractions occur and some devices are sold in debug mode. This kind of deployment exposes mobile devices to exploits that utilize this oversight.
Default settings
When a smartphone is sold, its default settings must be correct, and not leave security gaps. The default configuration is not always changed, so a good initial setup is essential for users. There are, for example, default configurations that are vulnerable to denial of service attacks.
Security audit of apps
Along with smart phones, appstores have emerged. A user finds themselves facing a huge range of applications. This is especially true for providers who manage appstores because they are tasked with examining the apps provided, from different points of view (e.g. security, content). The security audit should be particularly cautious, because if a fault is not detected, the application can spread very quickly within a few days, and infect a significant number of devices.
Detect suspicious applications demanding rights
When installing applications, it is good to warn the user against sets of permissions that, grouped together, seem potentially dangerous, or at least suspicious. Frameworks like such as Kirin, on Android, attempt to detect and prohibit certain sets of permissions.
Avoid heavily customized systems
Manufacturers are tempted to overlay custom layers on existing operating systems, with the dual purpose of offering customized options and disabling or charging for certain features. This has the dual effect of risking the introduction of new bugs in the system, coupled with an incentive for users to modify the systems to circumvent the manufacturer’s restrictions. These systems are rarely as stable and reliable as the original, and may suffer from phishing attempts or other exploits.
Improve software patch processes
New versions of various software components of a smartphone, including operating systems, are regularly published. They correct many flaws over time. Nevertheless, manufacturers often do not deploy these updates to their devices in a timely fashion, and sometimes not at all. Thus, vulnerabilities persist when they could be corrected, and if they are not, since they are known, they are easily exploitable
Guidelines
Guidelines for Mobile Phones and Tablets
- Label your device with your name and a phone number where you can be reached to make it easy to return to you if it is lost, even if the battery is dead.
- Configure a passcode to gain access to and use the device. This helps prevent unauthorized individuals from gaining access to your data.
- Set an idle timeout that will automatically lock the phone when not in use. This also helps prevent unauthorized individuals from gaining access to your data.
- Keep all software up to date, including the operating system and installed “Apps”. This helps protect the device from attack and compromise.
- Do not “jailbreak” or “root” your device. “Jailbreaking” and “rooting” removes the manufacturer’s protection against malware.
- Obtain your apps only from trusted sources such as the Apple iTunes Store, Google Play, or the Amazon App Store for Android. This helps you avoid malware which is often distributed via illicit channels.
- Enroll your device in a managed environment. This helps you configure and maintain your security and privacy settings.
- Enroll your device in Find My iPhone or an equivalent service. This will help you locate your device should it be lost or stolen.
- If your device supports it, ensure that it encrypts its storage with hardware encryption. In conjunction with a management service or “Find My iPhone,” this can allow data to be removed quickly in the event that the device is lost or stolen.
Guidelines for Portable Storage Devices
Portable Storage Devices are usually large capacity devices that are easily moved from place to place (e.g., USB memory sticks, removable hard drives, etc).
- Devices which are used to store or transport Prohibited or Restricted data must be encrypted. The Information Security Office recommends that you use the self-encrypting, FIPS 140-2 Level 3 qualified Aegis Secure Key flash drive. This device has an “Administrator PIN” feature and self-wipes if it is attacked. It is available from Stanford’s SmartMart — search for “Apricorn Aegis Flash Drive” — and other popular vendors. Confirm that a non-trivial password has been set on your Aegis Secure Key prior to using it.
Guidelines for Mobile Computing Devices
Keep a Clean Machine – Mobile devices are computers with software that need to be kept up-to-date (just like your PC, laptop or tablet). Security protections are built in and updated on a regular basis. Take time to make sure all the mobile devices in your house have the latest protections. This may require synching your device with a computer.
- Keep security software current: Having the latest mobile security software, web browser, and operating system are the best defenses against viruses, malware and other online threats.
- Protect all devices that connect to the Internet: Computers, smartphones, gaming systems and other web-enabled devices all need protection from viruses and malware.
Protect Your Personal Information – Phones can contain tremendous amounts of personal information. Lost or stolen devices can be used to gather information about you and. potentially, others. Protect your phone like you would your computer.
- Secure your phone: Use a strong passcode to lock your phone.
- Think before you app: Review the privacy policy and understand what data (location, access to your social networks) the app can access on your device before you download.
- Only give your mobile number out to people you know and trust and never give anyone else’s number out without their permission.
- Disable the geotagging feature on your phone
Connect with Care – Use common sense when you connect. If you’re online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.
- Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your phone.
- Protect your $$: When banking and shopping, check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://,” which means the site takes extra measures to help secure your information. “Http://” is not secure.
- When in doubt, don’t respond: Fradulent texting, calling and voicemails are on the rise. Just like email, requests for personal information or for immediate action are almost always a scam.
Be Web Wise – Stay informed of the latest updates on your device. Know what to do if something goes wrong.
- Stay current. Keep pace with new ways to stay safe online: Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
- Know how to cell block others: Using caller ID, you can block all incoming calls or block individual names and numbers.
- Use caution when meeting face-to-face with someone who you only “know” through text messaging: Even though texting is often the next step after online chatting, it does not mean that it is safer.
